D&D No. 08212/0200353-US0

SYSTEM AND METHOD FOR ENABLING AUTHORIZATION OF A NETWORK DEVICE USING ATTRIBUTE CERTIFICATES

Field of the Invention 

The present invention relates to computer security, and in particular, to a system and method for authorizing access to a resource over a network using an attribute certificate.

Background 

Earlier attempts to associate different authorization-related attributes to clients often relied on the client IP address as a means to identify the client. However, this technique proved not to be very effective, since the IP address of a network device may easily be changed. Furthermore, proliferation of Network Address Translation (NAT) devices and Virtual Private Networks (VPNs) makes it difficult for an access server to identify a particular client solely based on the client's IP address.
Commonly used Kerberos tickets provide a means for applications to share a cryptographically authenticated credential among several applications. However, Kerberos tickets only indicate that a particular user has successfully authenticated to a central network server, thereby establishing a single user session. Kerberos tickets do not convey user capabilities and they do not span multiple user sessions.

The use of hardware tokens for authentication addresses a related need. A hardware token allows a user to prove its identity as well as its possession of a particular physical object. In return, those proven assertions may lead to an expanded access right for a network service. However, a hardware token also does not provide a general means to convey user capabilities of the client.

Thus, it is with respect to these considerations and others that the present 
invention has been made. 
Brief Description of the Drawings
Non-limiting and non-exhaustive embodiments of the present invention are described with reference to the following drawings. In the drawings, like reference numerals refer to like parts throughout the various figures unless otherwise specified. For a better understanding of the present invention, reference will be made to the following Detailed Description of the Invention, which is to be read in association with the accompanying drawings, wherein:

FIGURE 1 illustrates one embodiment of an environment in which the invention operates;

FIGURE 2 illustrates a functional block diagram of one embodiment of a network device that may be configured to operate as a client;

FIGURE 3 illustrates a flow diagram generally showing one embodiment 
of a process for using an attribute certificate to authorize a client; 

FIGURE 4 illustrates message flows involved in one embodiment of the present invention;

FIGURE 5 illustrates message flows involved in another embodiment of 
the present invention; and 

FIGURE 6 illustrates message flows involved in yet another embodiment 
of the present invention. 

Detailed Description of the Preferred Embodiment

The present invention now will be described more fully hereinafter with reference to the accompanying drawings, which form a part hereof, and which show, by way of illustration, specific exemplary embodiments by which the invention may be practiced. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. Among other things, the present invention may be embodied as methods or devices. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. The following detailed description is, therefore, not to be taken in a limiting sense.

The terms "comprising," "including," "containing," "having," and "characterized by," refer to an open-ended or inclusive transitional construct and do not exclude additional, unrecited elements, or method steps. For example, a combination that comprises A and B elements also reads on a combination of A, B, and C elements.

The meaning of "a," "an," and "the" includes plural references. The meaning of "in" includes "in" and "on." Additionally, a reference to the singular includes a reference to the plural unless otherwise stated or inconsistent with the disclosure herein.

The term "or" is an inclusive "or" operator, and includes the term "and/or," unless the context clearly dictates otherwise.

The phrase "in one embodiment," as used herein does not necessarily refer to the same embodiment, although it may.

The term "based on" is not exclusive and provides for being based on additional factors not described, unless the context clearly dictates otherwise.

The term "flow" includes a flow of packets through a network; the term "connection" refers to a flow or flows of messages that typically share a common source and destination.

Briefly stated, the present invention is directed to a method and system 
for authorizing a network device using attribute certificates. 

Different network access capabilities may be provided to a user depending on properties of the user and device used to access the network. The invention may provide a secure way for the user to demonstrate that it has been approved for access to the network. An Attribute Certificate (AC) may be a digitally signed assertion including information about capabilities, restrictions, and the like, of the user and/or the device used to access the network. If the Attribute Certificate is issued upon completion of an automated security scan of a client device, the AC may be employed to provide a secure way for the device to inform an access server of the client automated security scan results at a later time. If the AC is generated based on capabilities of the user, it provides the access server secure information needed to make network resources available to the user, based on the AC.

The AC may be issued to a user, which may present it to the access server from different client network devices. The AC may also be issued to a client network device, through which different users may access the same resource.

Illustrative Operating Environment

FIGURE 1 illustrates one embodiment of an environment in which a system may operate. Not all the components may be required to practice the invention, and variations in the arrangement and type of the components may be made without departing from the spirit or scope of the invention.

As shown in the figure, system 100 includes Local Area Network / Wide Area Network (LAN/WAN) 104, client 102, access server 106, attribute authority 108, and attribute repository 110. Client 102 and access server 106 are in communication over LAN/WAN 104. Access server 106 is in further communication with attribute authority 108 and attribute repository 110. Attribute authority 108 and attribute repository 110 are also in communication with each other.

LAN/WAN 104 is enabled to employ any form of computer readable media for communicating information from one electronic device to another. In addition, LAN/WAN 104 may include the Internet in addition to local area networks, wide area networks, direct channels, such as through a universal serial bus (USB) port, other forms of computer-readable media, and any combination thereof. On an interconnected set of LANs, including those based on differing architectures and protocols, a router acts as a link between LANs, enabling messages to be sent from one to another. Also, communication links within LANs typically include twisted pair or coaxial cable, while communication links between networks may utilize analog telephone lines, full or fractional dedicated digital lines including T1, T2, T3, and T4, Integrated Services Digital Networks (ISDNs), Digital Subscriber Lines (DSLs), wireless links including satellite links, or other communications links known to those skilled in the art. Furthermore, remote computers and other related electronic devices may be remotely connected to either LANs or WANs via a modem and temporary telephone link. In essence LAN/WAN 104 may include any communication mechanism by which information may travel between network devices, such as client 102 and access server 106.

Client 102 may be any network device capable of communicating over a network, such as LAN/WAN 104, to access server 106, and the like. The set of such devices may include devices that typically connect using a wired communications medium such as personal computers, multiprocessor systems, microprocessor-based or programmable consumer electronics, network PCs, and the like, that are configured to operate as a network device. The set of such devices may also include devices that typically connect using a wireless communications medium such as cell phones, smart phones, pagers, walkie talkies, radio frequency (RF) devices, infrared (IR) devices, CBs, integrated devices combining one or more of the preceding devices, and the like, that are configured as a network appliance. Alternatively, client 102 may be any device that is capable of connecting using a wired or wireless communication medium such as a PDA, POCKET PC, wearable computer, and any other device that is equipped to communicate over a wired and/or wireless communication medium, operating as a network device. As such client 102 may be configured to operate as a web server, cache server, file server, router, file storage device, gateway, switch, bridge, firewall, proxy, and the like.

Access server 106 may include any computing device or devices capable of providing authorization to a resource over LAN/WAN 104. Devices seeking access to the resource over the network, such as client 102, may be authorized by access server 106 using an attribute certificate. Devices that may operate as access server 106 include, but are not limited to, personal computers, desktop computers, multiprocessor systems, microprocessor-based or programmable consumer electronics, network PCs, web servers, cache servers, file servers, routers, gateways, switches, bridges, firewalls, proxies, and the like. The resource over the network may be any network service available to network devices connected to the network, such as client 102.
Attribute authority 108 includes any computing device or devices capable of determining an attribute of a network device seeking authorization, such as client 102. Attribute authority 108 may further include network devices that verify an attribute of a network device such as client 102. Attribute authority 108 may also be configured to operate as a web server, cache server, file server, router, file storage device, gateway, switch, bridge, firewall, proxy, and the like. In one embodiment attribute authority 108 and access server 106 may reside in one computing device.

Attribute repository 110 may include any computing device or devices capable of receiving an attribute certificate from access server 106, attribute authority 108, and the like, and maintaining the attribute certificate ready for distribution. Devices that may operate as attribute repository 110 include, but are not limited to, personal computers, desktop computers, multiprocessor systems, microprocessor-based or programmable consumer electronics, network PCs, servers, and the like. Attribute repository 110 may also include a web service, an FTP service, an LDAP service, and the like, configured to manage the attribute certificate, and related information. In one embodiment, attribute repository 110 may include a storage structure for maintaining trust information, such as public keys, signatures, access control lists, revocation lists, and the like. Attribute repository 110 may include subscription information, observer mechanisms, and the like, that enable a network device, such as access server 106, and the like, to monitor an availability of the attribute certificate, and associated information.

Although not shown, attribute authority 108 and attribute repository 110 may also be in direct communication with client 102.

FIGURE 2 illustrates a functional block diagram of one embodiment of network device 200 in which the present invention may be practiced. Network device 200 provides one embodiment for access server 106 of FIGURE 1. It will be appreciated that not all components of network device 200 are illustrated, and that network device 200 may include more or fewer components than those shown in the figure. Network device 200 may operate, for example, as a personal computer, a desktop computer, a multiprocessor system, a microprocessor-based or programmable consumer electronic, a network PC, a web server, a cache server, a file server, a router, a gateway, a switch, a bridge, a firewall, a proxy, and the like. The communications may take place over a network, such as LAN/WAN 104 in FIGURE 1, the Internet, or some other communications network.

As illustrated in FIGURE 2, network device 200 includes central processing unit (CPU) 212, video display adapter 214, read only memory (ROM) 232, random access memory (RAM) 216, hard disk drive 228, input/output interface (I/O) 224, a CD-ROM/DVD-ROM drive 226, and a network interface unit 210 interconnected via a bus 222.

RAM 216, ROM 232, CD-ROM/DVD-ROM drive 226, and hard disk drive 228 are computer storage media, which may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules or other data. Examples of computer storage media include RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can store the information and that can be accessed by a computing device.

Network interface unit 210 is constructed for use with various communication protocols including the TCP/IP and UDP/IP protocols. Network interface unit 210 may include or interface with circuitry and components for transmitting packets, and the like, over a wired and/or wireless communications medium. Network interface unit 210 is sometimes referred to as a transceiver, Network Interface Card (NIC), and the like. Network device 200 may also include an I/O interface 224 for communicating with external devices or users.

RAM 216 is generally interconnected with ROM 232 and one or more permanent mass storage devices, such as hard disk drive 228. RAM 216 stores operating system 220 for controlling the operation of network device 200. The operating system 220 may comprise an operating system such as UNIX, LINUX™, Windows™, and the like.
In one embodiment, RAM 216 stores program code for application software 250, authorization protocol 240, and Attribute Certificate (AC) evaluation protocol 242, and the like, for performing authorization functions of network device 200. Application software 250 may include any computer program. Authorization protocol 240 is directed to controlling access to a network resource as described in FIGURE 3. AC evaluation protocol 242 may be a complementary protocol that enables the authorization protocol 240 to evaluate an attribute of a network device, such as client 102 of FIGURE 1, desiring access to the resource over the network. The attribute may be based, in part, on a capability of client 102, a condition to be satisfied for another attribute to be valid, a result of an automated security scan, and the like.

General Operation 

FIGURE 3 illustrates a flow diagram generally showing process 300 for authorizing a network device using attribute certificates, according to one embodiment of the invention. Process 300 may, for example, be implemented in access server 106 of FIGURE 1.

As shown in FIGURE 3, process 300 begins, after a start block, at block 302, where an attribute of the network device desiring authorization, such as client 102 of FIGURE 1, is determined. The attribute may be based, in part, on a capability or characteristic of the network device. For example, the network device may be a laptop issued to a particular user, and the like. In this example, the attribute may be based, in part, on the status of security software running on the network device, and the like.

The attribute, determined at block 302, may also be based, in part, on a condition to be satisfied for another attribute to be valid. In the above example, the primary attribute may be the assertion that the network device has anti-virus software installed. The other attribute may be based, in part, on a condition that the anti-virus software is running on the network device, and that the anti-virus software is configured with virus definitions that are no more than 5 days old, as a further example.

In another embodiment, the attribute, determined at block 302, may further be based, in part, on a status of the network device desiring authorization, such as a result of an automated security scan. For security reasons, an automated security scan of the network device may be performed and the result associated with the AC. Associating an automated security scan with the AC may eliminate the need to perform repeated automated security scans every time the network device requests authorization, since the AC may provide evidence of a recent automated security scan. Upon determination of the attribute to be associated with the AC, process 300 proceeds to block 304.

Copy provided by USPTO from the IFW Image Database on 03/31/2005

At block 304, the AC is generated based, in part, on the attribute determined at block 302. The AC may be generated by the device performing the authorization, such as access server 106 of FIGURE 1, the network device itself, a third party network device, such as the attribute authority 108 of FIGURE 1, and the like.

Processing then proceeds to block 306 of FIGURE 3, where the AC is stored. The storage may also be performed by the device performing the authorization, such as access server 106 of FIGURE 1, the network device itself, a third party network device, such as the attribute authority 108 of FIGURE 1, and the like. Upon completion of block 306, process 300 may wait until a request for authorization is received at block 308.

At block 308, the network device presents the authorizing device with a request for authorization. Although not shown, block 308 may include actions by the authorizing device including, but not limited to, retrieving the AC from the network device, a storage device, an external storage database, and the like.

Process 300 flows to block 310, where a decision is made to determine whether the network device is authenticated for connection to the network. If authentication is verified, processing proceeds to decision block 312. If authentication is not verified, processing proceeds to block 316, where communication is terminated. Processing may then return to a calling process to perform other actions.

At block 312, the validity of the AC is determined. In determining the validity of the AC a number of factors may be used including, but not limited to, the valid date range of the AC, the device identifier recorded in the AC, the digital signature, and the like. Comparing the identifier recorded in the AC with the identity authenticated at block 310 binds the AC to its holder, so that an AC retrieved from storage or presented by a client cannot be used on behalf of a different device. If the AC is valid, process 300 proceeds to block 314, where the network device is authorized. If the AC is not valid, processing proceeds to block 316, where communication is terminated. Processing may then return to a calling process to perform other actions.
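The following is an added example of process 300 in running code; it is not code from the patent. The AC is a JSON body carrying the holder identifier, the attributes, and a validity window, with an HMAC-SHA256 tag computed under a key shared by the issuer and the access server. That tag stands in for the digital signature the text describes so that the example runs with only the standard library; the key, identifiers, resource names, and time values are all constructed for the example. Authentication at block 310 is assumed to have already produced the authenticated holder identity that is passed in.

```python
"""Attribute-certificate (AC) generation, storage, and validation, following
process 300: determine attribute, generate AC, store it, then on an
authorization request verify the AC and authorize.

Added example; not code from the patent. The HMAC tag stands in for the
digital signature the text describes; a deployment would use an asymmetric
signature from the attribute authority or access server.
"""
import hashlib
import hmac
import json

# Hypothetical issuer key; constructed for this example only.
ISSUER_KEY = b"example-issuer-key-not-for-production"


def _canonical(body):
    # Canonical serialization so issuer and verifier tag identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_ac(holder, attributes, not_before, not_after, key=ISSUER_KEY):
    """Block 304: generate an AC binding attributes to a holder and a validity window.

    `holder` is the identifier the access server will later authenticate
    (user name or device identifier); times are POSIX seconds.
    """
    body = {
        "holder": holder,
        "attributes": attributes,
        "not_before": not_before,
        "not_after": not_after,
    }
    payload = _canonical(body)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


def verify_ac(ac, authenticated_holder, now, key=ISSUER_KEY):
    """Block 312: check signature, date range, and holder binding.

    Returns (valid, reason, body). The body is only returned after the tag
    has verified, so callers never act on unauthenticated attributes.
    """
    payload = ac["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ac["tag"]):
        return False, "bad signature", None
    body = json.loads(payload)
    if not body["not_before"] <= now <= body["not_after"]:
        return False, "outside validity window", None
    # Binding check: the AC must name the identity authenticated at block 310.
    if body["holder"] != authenticated_holder:
        return False, "holder does not match authenticated identity", None
    return True, "ok", body


class AttributeRepository:
    """Block 306 storage, in the role of attribute repository 404 of FIGURE 4."""

    def __init__(self):
        self._acs = {}

    def put(self, ac):
        holder = json.loads(ac["payload"])["holder"]
        self._acs[holder] = ac

    def get(self, holder):
        return self._acs.get(holder)


def authorize(ac, authenticated_holder, resource, capability, now):
    """Blocks 308 to 316 for one request.

    `ac` may have been fetched from a repository (FIGURE 4), presented by the
    client (FIGURE 5), or obtained from the attribute authority (FIGURE 6);
    the validity checks are the same in every case.
    """
    if ac is None:
        return False, "no attribute certificate"
    valid, reason, body = verify_ac(ac, authenticated_holder, now)
    if not valid:
        return False, reason
    granted = body["attributes"].get("capabilities", {}).get(resource, [])
    if capability in granted:
        return True, "authorized"
    return False, "attribute does not grant capability"


def demo():
    """Print-service example of FIGURE 4 with constructed data."""
    repo = AttributeRepository()
    ac = issue_ac("alice-laptop", {"capabilities": {"printer-1": ["print"]}},
                  not_before=1000, not_after=2000)
    repo.put(ac)
    return authorize(repo.get("alice-laptop"), "alice-laptop",
                     "printer-1", "print", now=1500)


if __name__ == "__main__":
    print(demo())
```

The order of checks in `verify_ac` is deliberate: the body is parsed only after the tag verifies, the window is checked against the access server's clock rather than anything in the AC, and the holder comparison is what stops an AC issued to one device from being replayed by another, whichever of the three storage arrangements delivered it.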

It will be understood that each block of the flowchart illustrations discussed above, and combinations of blocks in the flowchart illustrations above, can be implemented by computer program instructions. These program instructions may be provided to a processor to produce a machine, such that the instructions, which execute on the processor, create means for implementing the actions specified in the flowchart block or blocks. The computer program instructions may be executed by a processor to cause a series of operational steps to be performed by the processor to produce a computer-implemented process such that the instructions, which execute on the processor, provide steps for implementing the actions specified in the flowchart block or blocks.

Although the invention is described in terms of communication between a network device and an access server, the invention is not so limited. For example, the communication may be between virtually any resource, including but not limited to multiple clients, multiple servers, and any other device, without departing from the scope of the invention.

Accordingly, blocks of the flowchart illustrations support combinations of means for performing the specified actions, combinations of steps for performing the specified actions and program instruction means for performing the specified actions. It will also be understood that each block of the flowchart illustrations, and combinations of blocks in the flowchart illustrations, can be implemented by special purpose hardware-based systems, which perform the specified actions or steps, or combinations of special purpose hardware and computer instructions.

Illustrative Embodiments 

FIGURE 4 illustrates one embodiment of a message flow diagram for a system similar to the system shown in FIGURE 1. As shown in the diagram, message flow 400 includes network resource 402, attribute repository 404, access server 406, and client 408 across the top. Client 408 and access server 406 may operate substantially similar to client 102 and access server 106, respectively, of FIGURE 1. Time may be viewed as flowing downward in the figure.

As shown in FIGURE 4, the message flows are divided into two groups separated by timeline 410. The first group comprises message flows involved in generating and storing an AC. This process may be repeated if client 408 desires to store a certificate with a new access server, if the stored AC is no longer valid for any of a variety of reasons, and the like. The process begins with access server 406 determining an attribute of client 408 to be associated with the AC. The attribute may be based, in part, on a capability of client 408. For example, client 408 may be a network device used by a user possessing temporary approval to utilize print services provided by a network resource. In this example, access server 406 may verify the printing capability approval for the network resource as the attribute to be associated with the AC.

Access server 406 may then generate the AC based, in part, on the attribute determined above. Following generation of the AC, access server 406 may send the AC to attribute repository 404, where the AC is stored.

The authorization process, as shown below timeline 410 in FIGURE 4, is typically started by receipt of a request for authorization from client 408. Upon receiving the request for authorization from client 408, access server 406 authenticates client 408. Authentication may be based on a login password, a digital certificate, a biometric parameter, and the like.

Upon authentication, access server 406 requests the AC from attribute repository 404. Attribute repository 404 sends the AC to access server 406, which verifies the AC's validity. The validity of the AC may be verified based, in part, on any one of a number of factors including, but not limited to, the date range of the AC, the digital signature on the AC, comparison of the identity listed in the AC with the authenticated identity of client 408, and the like.

If the AC is valid, access server 406 authorizes client 408 based, in part, on the attribute associated with the AC. Further using the example above, the authorization provides client 408 with access to printing capabilities of network resource 402 based, in part, on the attribute associated with the AC.

FIGURE 5 illustrates a message flow diagram for a network system in accordance with another embodiment of the present invention. As shown in the diagram, message flow 500 includes network resource 502, access server 504, and client 506 across the top. Client 506 and access server 504 may operate substantially similar to client 102 and access server 106, respectively, of FIGURE 1. Time may be viewed as flowing downward in the figure.

As shown in FIGURE 5, the message flows are divided into two groups separated by timeline 508. The first group comprises message flows involved in generating and storing an AC. The first part of the process is substantially similar to the first process described in FIGURE 4, above timeline 410. One difference between the two processes is that access server 504 sends the AC to client 506 instead of to an attribute repository, and client 506 stores the AC.

The authorization process, as shown below timeline 508 in FIGURE 5, is typically started by receipt of a request for authorization from client 506. Upon receiving the request for authorization from client 506, access server 504 authenticates client 506. Authentication may be based on a login password, a digital certificate, a biometric parameter, and the like.

Upon authentication, access server 504 verifies that the client is in possession of a valid AC. The validity of the AC may be verified based, in part, on any one of a number of factors including, but not limited to, the date range of the AC, the digital signature on the AC, comparison of the identity listed in the AC with the authenticated identity of client 506, and the like. Because client 506 holds the AC itself, the digital signature is what allows access server 504 to detect an AC whose attributes have been altered by the client.

If the AC is valid, access server 504 authorizes client 506 based, in part, on the attribute associated with the AC. Using the example described in FIGURE 4 above, the authorization provides client 506 with access to printing capabilities of network resource 502 based, in part, on the attribute associated with the AC.

FIGURE 6 illustrates a message flow diagram for a network system in accordance with a further embodiment of the present invention. As shown in the diagram, message flow 600 includes access server 602, client 604, and attribute authority 606 across the top. Client 604 and access server 602 may operate substantially similar to client 102 and access server 106, respectively, of FIGURE 1. Time may be viewed as flowing downward in the figure.
As shown in FIGURE 6, the message flows are divided into two groups separated by timeline 608. The first group comprises message flows involved in generating and storing an AC. The process begins with an automated security scan of client 604 performed by attribute authority 606. Attribute authority 606 generates the AC based, in part, on a result of the automated security scan of client 604, and stores the AC.

The authorization process, as shown below timeline 608 in FIGURE 6, is typically started by receipt of a request for authorization from client 604. Upon receiving the request for authorization from client 604, access server 602 authenticates client 604. Authentication may be based on a login password, a digital certificate, a biometric parameter, and the like.

Upon authentication, access server 602 requests the AC from attribute authority 606. Attribute authority 606 sends the AC to access server 602, which verifies the validity of the AC. The validity of the AC may be verified based, in part, on any one of a number of factors including, but not limited to, the date range of the AC, the digital signature on the AC, and the like.

If the AC is valid, access server 602 authorizes client 604 based, in part, 
on the attribute associated with the AC. In this embodiment, the authorization provides 
client 604 with access to network resources. 
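The following added example, not code from the patent, shows how an access server can evaluate the attributes of a scan-derived AC such as the one attribute authority 606 issues in FIGURE 6, including the conditional attributes described for block 302 (anti-virus installed; a second attribute valid only while the anti-virus is running with definitions no more than 5 days old). The AC body layout, the two condition types (`flag`, `max_age`), the 24-hour maximum scan age, and the sample scan result are all assumptions made for this example; the 5-day definition limit is the figure from the text. The AC's signature is taken to have been verified before this evaluation runs.

```python
"""Evaluating conditional attributes carried in a scan-derived AC.

Added example; not code from the patent. An attribute is valid when every
attribute it `requires` is valid and every one of its own `conditions` holds
against the scan result recorded in the AC. A scan older than MAX_SCAN_AGE
invalidates everything, since the AC is only evidence of a recent scan.
"""
from datetime import datetime, timedelta

# Example policy: a scan older than this cannot stand in for a fresh scan.
MAX_SCAN_AGE = timedelta(hours=24)

# Constructed AC body (timestamps are ISO 8601 with an explicit UTC offset).
SAMPLE_AC = {
    "scan": {
        "scanned_at": "2005-03-31T08:00:00+00:00",
        "antivirus_installed": True,
        "antivirus_running": True,
        "definitions_updated": "2005-03-27T00:00:00+00:00",
    },
    "attributes": [
        {"name": "antivirus_installed",
         "conditions": [{"type": "flag", "key": "antivirus_installed", "expect": True}]},
        {"name": "antivirus_current",
         "requires": ["antivirus_installed"],
         "conditions": [
             {"type": "flag", "key": "antivirus_running", "expect": True},
             {"type": "max_age", "key": "definitions_updated", "max_seconds": 5 * 86400},
         ]},
        # A capability that is only valid while the anti-virus attribute holds.
        {"name": "network_access", "requires": ["antivirus_current"]},
    ],
}


def check_condition(cond, scan, now):
    """Evaluate one condition against the scan result; unknown types fail closed."""
    if cond["type"] == "flag":
        return scan.get(cond["key"]) == cond["expect"]
    if cond["type"] == "max_age":
        stamp = scan.get(cond["key"])
        if stamp is None:
            return False
        return now - datetime.fromisoformat(stamp) <= timedelta(seconds=cond["max_seconds"])
    return False


def evaluate(ac_body, now_iso):
    """Return (rescan_required, set of valid attribute names) at time `now_iso`."""
    now = datetime.fromisoformat(now_iso)
    scan = ac_body["scan"]
    if now - datetime.fromisoformat(scan["scanned_at"]) > MAX_SCAN_AGE:
        return True, set()

    by_name = {a["name"]: a for a in ac_body["attributes"]}
    memo = {}

    def valid(name, chain=()):
        if name in memo:
            return memo[name]
        if name in chain or name not in by_name:
            memo[name] = False  # missing dependency or cycle: fail closed
            return False
        attr = by_name[name]
        ok = all(valid(dep, chain + (name,)) for dep in attr.get("requires", []))
        ok = ok and all(check_condition(c, scan, now) for c in attr.get("conditions", []))
        memo[name] = ok
        return ok

    return False, {name for name in by_name if valid(name)}


if __name__ == "__main__":
    print(evaluate(SAMPLE_AC, "2005-03-31T09:00:00+00:00"))
```

Evaluated one hour after the scan, all three attributes hold; with definitions dated six days earlier, only `antivirus_installed` survives, and `network_access` falls with the attribute it depends on; a day later the scan itself is too old and the access server should request a new scan rather than trust the AC.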

The above specification, examples, and data provide a complete description of the manufacture and use of the composition of the invention. Since many embodiments of the invention can be made without departing from the spirit and scope of the invention, the invention resides in the claims hereinafter appended.
WE CLAIM:



1. A method for authorizing a network device, comprising:
determining an attribute based, in part, on a capability of the network device;
generating an attribute certificate based, in part, on the attribute;
storing the attribute certificate including the attribute; and
if the attribute certificate is valid, authorizing access to a resource over a network based, in part, on the attribute associated with the attribute certificate.

2. The method of Claim 1, wherein the attribute is further determined based, in part, on an automated security scan of the network device.

3. The method of Claim 1, wherein the attribute is further determined based, in part, on a condition to be satisfied.

4. The method of Claim 1, wherein the attribute is further associated with a group of network devices.

5. The method of Claim 1, wherein the attribute is further associated with a 
group of users. 

6. The method of Claim 1, wherein the attribute certificate is generated by at least one of the network device, an access server, and an attribute authority.

7. The method of Claim 1, wherein the attribute certificate is stored in at 
least one of the network device, and an attribute repository. 

8. The method of Claim 7, wherein the attribute certificate is provided to an 
access server through the use of at least one of a cookie, a program, and a manual upload. 
9. A network device for managing authorization to a resource over a
network, comprising: 

a first component configured to generate an attribute certificate, wherein 
the attribute certificate is based, in part, on a capability of another network device; 

a second component, coupled to the first component, configured to store 
the attribute certificate; and 

a third component, coupled to the second component, configured to 
authorize the other network device to the resource over the network based, in part, on the 
attribute of the other network device associated with the attribute certificate. 

10. The network device of Claim 9, wherein the first component is fiirther 
configured to generate the attribute certificate based on a condition to be satisfied. 

1 1 . The network device of Claim 9 fiirther comprising a fourth component 
that is configured to perform an automated security scan of the other network device. 

12. The network device of Claim 11, wherein the first component is further 
configured to generate the attribute certificate based on the automated security scan of the 
other network device. 

13. The network device of Claim 9, wherein the second component is further 
configured to send the attribute certificate to the other network device to be stored, and 
the third component is further configured to receive the attribute certificate. 

14. A network device for managing authorization to a resource over a 
network, comprising: 

a means for generating an attribute certificate, wherein the attribute 
certificate is based on a capability of another network device; 

a means for storing the attribute certificate; and 
a means for authorizing the other network device to the resource over the 
network based, in part, on the attribute of the other network device associated with the 
attribute certificate. 
Abstract 

Methods and devices are directed to authorizing a network device to a 
resource over a network. An access server determines, based in part on an attribute of 
the network device associated with an attribute certificate, whether the network device 
may be authorized access to the resource over the network. The attribute may be 
associated with a capability granted to the network device, a condition to be satisfied for 
the attribute to be valid, and the like. The attribute may belong to a group of network 
devices, or to one or more users accessing the network through the network device. In one 
embodiment, the attribute certificate may be provided based on an automated security 
scan of the network device. In another embodiment, the access server may make the 
attribute available to a network resource associated with the access server. 
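The abstract and claims above describe the flow only in prose. The following is an added worked example, written for this edit and not code from the patent or its assignee, showing one way the pieces fit together: an attribute authority derives an attribute from a (constructed) security-scan result, binds it to a device identifier together with a capability, a group membership and a validity condition, and signs the result; an access server verifies the signature and checks the condition, capability and group against a constructed per-resource policy before authorizing. All identifiers, the policy table, the scan fields and the key are assumptions. The HMAC stands in for the attribute authority's signature; a real deployment would use an asymmetric signature so that the access server can verify certificates but cannot issue them.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a secret shared between the attribute authority and the access
# server stands in for the authority's signing key. A deployment would use an
# asymmetric signature so the access server cannot mint certificates itself.
AA_SIGNING_KEY = b"example-attribute-authority-key-do-not-reuse"

# Constructed policy: which capability (and optionally which device group)
# a resource requires. Not part of the patent text.
RESOURCE_POLICY = {
    "/payroll/export": {"capability": "payroll.read", "group": "finance-workstations"},
    "/wiki": {"capability": "intranet.read", "group": None},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def attribute_from_scan(scan: dict) -> dict:
    """Derive the scan-dependent part of the attribute (claims 2, 11, 12).
    The scan fields are a constructed sample of what a scanner might report."""
    passed = (scan.get("patch_level", 0) >= scan.get("required_patch_level", 0)
              and scan.get("endpoint_protection") is True)
    return {"scan_passed": passed, "scan_time": scan["scan_time"]}


def issue_attribute_certificate(key, holder, capabilities, groups, scan,
                                not_before, not_after):
    """Attribute authority: bind a holder (device identifier) to capabilities,
    groups and a validity condition, then sign the canonical encoding."""
    body = {
        "holder": holder,
        "capabilities": sorted(capabilities),
        "groups": sorted(groups),
        "condition": {"not_before": not_before, "not_after": not_after,
                      **attribute_from_scan(scan)},
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64url_encode(payload)}.{b64url_encode(sig)}"


def verify_attribute_certificate(key, cert):
    """Access server: check the signature before trusting any attribute.
    Returns the attribute body, or None if malformed or tampered."""
    try:
        payload_b64, sig_b64 = cert.split(".")
        payload, sig = b64url_decode(payload_b64), b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


def authorize(key, cert, presenting_holder, resource, now):
    """Decide whether `presenting_holder` may reach `resource` at time `now`,
    based on the attribute carried in `cert`. Returns (allowed, reason)."""
    attrs = verify_attribute_certificate(key, cert)
    if attrs is None:
        return False, "invalid or tampered certificate"
    # Bind the certificate to the device presenting it, so a certificate
    # copied from one device (e.g. via a cookie or file) is useless elsewhere.
    if attrs["holder"] != presenting_holder:
        return False, "certificate not issued to this device"
    cond = attrs["condition"]
    if not cond["not_before"] <= now <= cond["not_after"]:
        return False, "outside validity window"
    if not cond["scan_passed"]:
        return False, "security scan condition not met"
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return False, "unknown resource"
    if policy["capability"] not in attrs["capabilities"]:
        return False, "missing capability"
    if policy["group"] is not None and policy["group"] not in attrs["groups"]:
        return False, "device not in required group"
    return True, "authorized"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed fixed clock for a reproducible run
    scan = {"patch_level": 42, "required_patch_level": 40,
            "endpoint_protection": True, "scan_time": now - 60}
    cert = issue_attribute_certificate(AA_SIGNING_KEY, "device:laptop-0731",
                                       ["payroll.read", "intranet.read"],
                                       ["finance-workstations"], scan,
                                       now - 60, now + 3600)
    print(authorize(AA_SIGNING_KEY, cert, "device:laptop-0731", "/payroll/export", now))
```

The order of checks is the point: the signature is verified before any attribute is read, the holder binding is checked next so that a certificate lifted from one device cannot be replayed by another (relevant because claim 8 allows the certificate to travel as a cookie or uploaded file), then the validity condition, and only then the capability and group lookup against the resource policy.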



Customer No. 38879 
IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 
DECLARATION FOR PATENT APPLICATION 



As a below named inventor, I hereby declare that: 

My residence, post office address and citizenship are as stated below next to my name. 

I believe I am an original, first and joint inventor of the subject matter which is described and 
claimed and for which a patent is sought on the invention entitled: 

SYSTEM AND METHOD FOR ENABLING AUTHORIZATION OF A NETWORK 
DEVICE USING ATTRIBUTE CERTIFICATES 

the specification of which is attached hereto. 

I hereby state that I have reviewed and understand the contents of the above identified 
specification, including the claims, as amended by an amendment, if any, specifically referred 
to herein. I do not know and do not believe that the same was ever known or used in the 
United States of America before my or our invention thereof or patented or described in any 
printed publication in any country before my or our invention thereof, or more than one year 
prior to this application, or in public use or on sale in the United States of America more than 
one year prior to this application, that the invention has not been patented or made the subject 
of an inventor's certificate issued before the date of this application in any country foreign to 
the United States of America on an application filed by me or my legal representatives or 
assigns more than twelve months prior to this application. 

I acknowledge the duty to disclose all information known to me that is material to 
patentability in accordance with Title 37, Code of Federal Regulations, § 1.56. 

FOREIGN PRIORITY CLAIM 

I hereby claim foreign priority benefits under Title 35, United States Code § 119(a)-(d) of any 
foreign application(s) for patent or inventor's certificate listed below and have also identified 
below any foreign application for patent or inventor's certificate having a filing date before 
that of the application on which priority is claimed: 

[x] no such foreign applications have been filed 

[ ] such foreign applications have been filed as follows: 
EARLIEST FOREIGN APPLICATION(S), IF ANY, FILED WITHIN 12 MONTHS 
(6 MONTHS FOR DESIGN) PRIOR TO THIS U.S. APPLICATION 

Application Number | Country | Date of Filing | Priority Claimed Under 35 USC 119 (Yes/No) 
(no entries) 

ALL FOREIGN APPLICATION(S), IF ANY, FILED MORE THAN 12 MONTHS 
(6 MONTHS FOR DESIGN) PRIOR TO THIS U.S. APPLICATION 

Application Number | Country | Date of Filing 
(no entries) 

CLAIM FOR BENEFIT OF EARLIER U.S. PROVISIONAL APPLICATIONS 

I hereby claim priority benefits under Title 35, United States Code §119(e), of any United 
States provisional patent application(s) listed below: 

[x] no such U.S. provisional applications have been filed. 

[ ] such U.S. provisional applications have been filed as follows: 

Application Number | Date of Filing | Priority Claimed Under 35 USC 119 (Yes/No) 
(no entries) 

CLAIM FOR BENEFIT OF EARLIER U.S./PCT APPLICATION(S) 

I hereby claim the benefit under Title 35, United States Code, §120 of the United States 
application(s) listed below and, insofar as the subject matter of each of the claims of this 
application is not disclosed in the prior United States application in the manner provided by 
the first paragraph of Title 35, United States Code, §112, I acknowledge the duty to disclose 
all information that is material to patentability in accordance with Title 37, Code of Federal 
Regulations, §1.56 which became available to me between the filing date of the prior 
application and the national or PCT international filing date of this application: 
Attorney Docket No.: 08212/0200353-USO 

[x] no such U.S./PCT applications have been filed. 

[ ] such U.S./PCT applications have been filed as follows: 

Application Number | Date of Filing | Status (Patented/Pending/Abandoned) 
(no entries) 

I hereby declare that all statements made herein of my own knowledge are true and that all 
statements made on information and belief are believed to be true; and further that these 
statements were made with the knowledge that willful false statements and the like so made 
are punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United 
States Code and that such willful false statements may jeopardize the validity of the 
application or any patent issued thereon. 

I hereby appoint the practitioners under Customer Number 38879, 
all of Darby & Darby P.C., P.O. Box 5257, New York, New York 10150-5257, jointly, and 
each of them severally, my attorneys at law/patent agent(s), with full power of substitution, 
delegation and revocation, to prosecute this application, to make alterations and amendments 
therein, to receive the patent, and to transact all business in the U.S. Patent and Trademark 
Office connected therewith. 

Please mail all correspondence to Jamie L. Wiegand, whose address is: 

Darby & Darby P.C. 
P.O. Box 5257 
New York, New York 10150-5257 

Please direct telephone calls to: Jamie L. Wiegand at (206) 262-8915. 
Please direct facsimiles to: (212) 753-6237 
Inventor 

Name: Jeremey Barrett 
Citizenship: US 
Capacity: Full Capacity 
Residence: Sugar Land, TX, US 
Mailing address: 3330 Big Horn Ct., Sugar Land, TX 77478 

Correspondence Information 

Correspondence Customer Number: 38879 

Representative Information 

Representative Customer Number: 38879 

Assignee Information 

Assignee name: Nokia, Inc. 
Mailing address: 6000 Connection Drive, Irving, TX 75039 